Severity: HIGH | CVE-2026-0146 | CNA: Google_Devices

CVE-2026-0146: In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api

In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in
Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the Android kernel, specifically in the mfc_core_get_dec_metadata_sei_nal function of mfc_core_reg_api.c, which handles decoding of SEI NAL metadata in the MFC (Multi-Format Codec) media processing subsystem. The vulnerability is reachable over the network by a low-privileged authenticated user, with no victim interaction required. Successful exploitation gives the attacker full remote code execution within the kernel context, enabling complete control over confidentiality, integrity, and availability of the affected device. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Android or Android-derived container images, in both registry scans and CI/CD pipeline checks. Any image pulling from or embedding affected Android kernel components is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 8.8 (HIGH) and weighting it further against each environment's compliance policy to determine urgency and routing. Triage tickets are routable to the appropriate team inbox within each customer organization based on policy configuration.

Status: Available

Patch

No upstream fix has been published for CVE-2026-0146 as of the CVE publication date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix version is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reachable over the network, meaning an attacker must be able to send requests to the exposed service across the internet or an internal network.

  • Authentication: Required

    A valid account with low-level privileges is sufficient to reach the vulnerable code path; no administrative or elevated credentials are needed.

  • Victim interaction: Not required

    No user or victim action (such as clicking a link or opening a file) is needed; the attacker can trigger the vulnerability entirely without victim participation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.

Blast Radius

  • The attacker achieves arbitrary code execution in the Android kernel context, giving full control over the compromised host.
  • All data accessible to the kernel, including credentials, session tokens, and stored user data, can be read directly.
  • The attacker can modify or corrupt kernel memory, persistent storage, and any data structures the kernel manages.
  • The attacker can crash or destabilize the kernel, causing a device outage or forcing a reboot that disrupts running workloads.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published, the platform monitors the CVE-2026-0146 advisory on every ingest cycle and will surface a patched-image rebuild the moment Google publishes a fix version for the affected Android kernel component. In the interim, customers can apply compensating controls through HarborGuard policy rules: network-policy isolation to restrict which services can reach MFC codec endpoints, egress filtering on affected workloads, and flag-gating or disabling media decoding features where operationally feasible. For customers with auto-remediation enabled, the transition from monitoring to active remediation (rebuild, regression run, and PR) will happen automatically without requiring a manual trigger once the upstream patch lands. Given the HIGH severity rating of 8.8, this CVE is prioritized in the triage queue and routed with elevated urgency under default HarborGuard policy settings.

Affected packages
  • Google / Android
    Android kernel
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H